python-requests bundles it's own cacert list (although the ubuntu .deb version might use the central certificate store - not sure about that), which might be outdated. Some older cacert lists have issues with RapidSSL certificates (this is an issue with the list bundled with httplib2, for example).
We use pywikibot's httplib2 which solves the issue Merlijn mentions here. For requests though, the last commit message on their cacert.pem file makes me like your original thought that requests should be updated:
https://github.com/kennethreitz/requests/blob/master/requests/cacert.pem